You are on page 1of 5

Access Control List Mediation System for Large-Scale Network

Kanghee Lee*, Zhefan Jiang*, Sangok Kim*, Sangwook Kim*, Sunkyung Kim**
*Dept. Computer Science, Kyungpook National University, South Korea
**Dept. Computer and Information Engineering, Daegu University, South Korea
{khlee, zfjiang, sokim, swkim}@cs.knu.ac.kr, skkim@daegu.ac.kr

Abstract compile result of high-level policy language that using


by mediation system. This system enables the
Large-Scale network such as the Internet consist of administrator to enforce a security policy onto a large
a large number of sub-networks. Since each sub- number of sub-networks and lower layer devices
network has management privileges and policies simultaneously.
individually, it is difficult to respond to harmful traffic
such as warm viruses that affect entire networks. In 2. Access Control List Mediation System
this paper, we propose a high-level policy language Architecture
and a middle-level data structure. They were named
Triton language and Common Access Management A large-scale network consists of a lot of sub-
Form (CAMF). It enables the administrator to networks, and each sub-network includes smaller sub-
authorize a policy effectively and rapidly. Large-scale networks. The Internet structure is hierarchical, like a
networks have a number of administrators so that tree structure [2]. To manage a large-scale network
policy collision can occur. Access control list such as the Internet, we must consider such network
mediation system selects or adapts the most important structure from a hierarchical point of view.
policy among colliding policies through a policy To perform the large-scale security management
importance valuation. effectively, a security policy should be sent to each
sub-network simultaneously. This is done because of
1. Introduction the characteristics of traffic such as the worm virus,
which has recently done much damage to the Internet.
Most of the Internet infrastructures were designed The extent of damage is not restricted with in a sub-
more to withstand physical failures such as broken network but expands into the entire network. To
wires or computers rather than harmful traffic launched respond to the harmful traffic and minimize the
by legal network users. The rapid growth of the damage, a domain administrator must control the entire
Internet, however, coupled with its cost-effective net-work. Harmful traffic such as the worm virus
capability to move data across geographically spreads rapidly so the control must also be more rapid.
dispersed heterogeneous information systems, has The control is performed by sending a policy to each
made it a virtual breeding ground [1]. lower layer device. In this process, it is necessary for a
It is particularly difficult for each network domain administrator to simultaneously enforce the
administrator to individually respond to harmful traffic policy upon the entire network. In a large-scale
that influences large-scale network. An architecture network, the policy should be of a high-level language
that allows a network administrator to manage entire because a domain administrator is not expected to be
networks simultaneously is, therefore, necessary. aware of all network information separately.
In this paper, we propose a high-level language that Since each lower layer device is controlled by
specifies the security management policy for large- various ACL, the policy for the entire network may
scale network and a mechanism for rapidly delivering become innumerable. The relationship with the
such a policy to the entire network. A high-level policy network structure and the traffic form is low because
language (Triton) allows a domain administrator to ACL is a simple control rule. To integrate various ACL
manage large-scale networks consisting of devices and represent the semantic relationship with a
heterogeneous devices from an abstract point of view. network structure and traffic form, it is necessary to
And a middle-level data structure (CAMF) is the

Proceedings of the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT05)
0-7695-2405-2/05 $20.00 2005 IEEE
use a high-level language that specifies abstract details and particular policies are a little different
policies for network management. depending on each domain.
Therefore, large scale network policies provide
2.1 Hierarchical Domain Structure framework, take a side view of the abstract, and
convert abstractive policies into specific policies for
A large-scale network such as the Internet has a practical applications. To authorize a policy such as the
hierarchical structure as shown in Figure 1. Each sub- above, an abstractive approach for the entire network is
network consists of smaller sub-networks that have the necessary. The common attributes of abstracts are the
privileges to enforce security policies to lower layer meanings and structures of each domain consisting of a
devices [3]. large-scale network.
In this paper, the domain is defined as a unit that The high-level policy language proposed in this
can establish and enforce a security policy. Domains paper is able to describe traffic information in the
may be used to model the hierarchical structure of the abstractive aspect and approach the network
system, which also enables policy specification and information of each domain in an intuitive method. It is
logically-centralized system administration. able to write and analyze a policy rapidly as an
As shown in Figure 1, a domain in a large-scale approaching general grammar structure for
network is an abstraction of sub-networks [4]. It has programming language. The following is an example
different structures and characteristics. Although the of the high-level language:
policy has the same meaning, the context of policy
may be different in each domain. The policy of each Policy SamplePolicy triggered by EVENT_ALERT
domain can influence the policy of other domains. It {
needs the basic information for device, traffic and Range R1 = [ x:IP | "10.1.1.5" <= x <=
network service to specify a policy. "10.1.1.20" ];

Incoming {
For ( "DomainA", "DomainB", "DomainC" )
{
if(src_addrinR1&&dst_port==8080)
{
deny(3,essential);
}
}
}
}

The policy is named SamplePolicy and is triggered


Fig 1. The Structure of Domain by the alter event. R1 defines the range of policy
enforcement and represents the IP address range
In a large-scale network, a security policy is between 10.1.1.5 and 10.1.1.20 The policy is
authorized by a higher domain administrator, who must enforced in DomainA, DomainB and DomainC
have information about all lower domains. However, a to deny an incoming packet with 8080 as a destination
higher domain administrator cannot know all the port. The parameters of the denial statement are for
information. The forms of policies may also be policy mediation. 3 represents a priority while
changed a little even though they have same semantic. essential represents an essential policy. As shown in
above example, a high-level language uses intuitional
2.2 High-Level Security Policy keywords such as srcaddr and dstaddr to represent
detail conditions. These keywords generalize control
Generally the traffic control form in network forms of network devices and allow a domain
devices uses network packet information such as the IP administrator to authorize a policy effectively. The
address, port number and protocol. The control of syntax of the high-level language is similar to the
traffic in the domain requires details such as its general programming language syntax. It uses a block
architecture, service type and administrative policy [5]. for efficient policy structure.
We cannot, however, disregard the details when
making a policy from the network management point
of view. This is because large amounts of domain

Proceedings of the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT05)
0-7695-2405-2/05 $20.00 2005 IEEE
2.3 CAMF(Common Access Management This is a situation of executing a policy to deny a
Form) packet with destination port 8080 in some domain. An
acceptant policy accepts a packet that with destination
High-level language enables the enforcement of a port 8080 delivered from a higher domain. In this case,
policy without detail information about each domain. It we simultaneously apply two impossible policies
is, however, difficult to enforce a policy on lower layer which are denial and acceptance of destination port
domains directly because the ACL for controlling the 8080 in the same area. This is where policy collision
lower layer device is very concrete and varied occurs.

Fig 3. The Situation of Policy Collision

Fig 2. The Structure of CAMF 3.2 Policy Mediation

The CAMF is a mediator between the high-level Policy mediation is a process used to select one
language and the ACL of the lower layer device. The policy among policies that collide. The selected policy
CAMF makes it easy to translate a high-level language must semantically be most important. The process can
to ACL. The CAMF should include information on be done using the following methods:
various forms of lower layer devices. The Figure 2 First, a domain policy server enforces a higher
shows the structure of the CAMF: domain policy above all. This method, however,
A CAMF includes the basic policy information, discolors the meaning of the hierarchical domain layer
ACL information for a lower layer device, and the structure because the highest domain has absolute
policy mediation information. A policy has a unique privilege in the entire network.
name and is shown as a list. Second, a domain policy server enforces the most
recent policy. This method preserves the meaning of
the hierarchical domain layer structure because the
3. Access Control List Mediation privileges of the higher and lower domains are treated
Mechanism equally in the entire network. However, this method
raises a problem because it does not recognize the
A Security mechanism for a large-scale network priority of the higher domain policy.
divides the entire network into higher domain and Lastly, a domain administrator personally selects a
lower domain. Since the administrator of each domain policy among colliding polices. In this case, the
can individually authorize a policy, policies of higher domain administrators intension is reflected.
domains and lower domains may collide with each However, the speed of policy enforcement may
other. When policy collision occurs, one of the become slower. This method is, therefore, not
colliding policies must be selected while the rest appropriate when responding to harmful traffic, such as
should be discarded. the worm virus, which propagates rapidly.
Consequently, policy mediation in a large-scale
3.1 Policy Collision network sufficiently reflects the domain
administrators intention. The policy of a higher
When many policies that cannot be executed domain must be enforced as preferentially as possible.
together in the same area are applied simultaneously, Privilege for policy enforcement of each domain
policy collision occurs. Figure 3 represents a typical should be treated equally, though.
example of policy collision.

Proceedings of the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT05)
0-7695-2405-2/05 $20.00 2005 IEEE
Policy mediation requires policy importance policy with. The items included in the domain
valuation. The core factor for policy importance negotiation information are the following:
valuation is the domain administrators intention. The
policy should, therefore, include information that - Entire range
reflects domain administrators intention [6]. - Direction (incoming packet/outgoing packet)
In this paper, policy importance is presented by - Protocol (IP/ICMP/IGMP/TCP/UDP) / item IP
priority. A domain administrator invests on a policy address range
with priority according to the provided criterion. - TCP/UDP port range / item lower layer device
When a domain administrator authorizes a policy, a type (router/firewall/web server)
policy group is defined with policy as a keyword of
the high-level language, which invests the CAMF list The higher and lower domains have separate policy
with the same policy name. However, each CAMF priorities for each range. Each domain divides
may have a different priority according to the domain privileges for policy enforcement. Figure 5 shows the
administrators intention even though each CAMF is information structure for domain negotiation.
included in the same policy group. In a process of If the priority for the entire range is 5, the priority
policy mediation, a unit for comparison between for TCP protocol is 4 and the priority for destination
policies is not the CAMF list, but a single CAMF. The port from 2000 to 3000 is 3, then the priority for
following is an example of policy mediation according destination port from 2000 to 3000 is duplicated in
to policy priority: three ranges: entire range, TCP protocol range,
In Figure 4, there are three CAMF lists that are destination port range. In this case, the selected priority
classified as A, B, C. A and B are currently applying is 3 because the highest priority among the priorities
policies while C is a new policy. The policy priority of for duplicated ranges is 3.
each CAMF is shown in parentheses.
A and B do not collide with each other because they
passed through policy mediation. However, A and C
may collide with each other, and B and C may collide
with each other. Suppose that policy collision occurs in
the following:
CAMF A3 and C1 collide with each other and B4
and C3 collide with each other. One between A3 and
C1 must be selected in this case and what ever is left
must be discarded. B4 and C3 should be dealt with in
the same manner. The policy mediation is basically Fig 5. The Structure of Domain Negotiation
performed by priority. Therefore, in A3-C1, A3 is
Basically the higher domain has a higher priority
selected and C1 is discarded. In B4-C3, B4 is
than lower domain. Therefore, the higher domain has
discarded and C3 is selected. The final policy is shown
privilege for policy enforcement about ranges not
in Figure 4.
mentioned in domain negotiation. The core of the
domain negotiation is to guarantee the absolute
privilege for the minimum range that the lower domain
man-ages. A higher domain administrator examines
such requirement of a lower do-main administrator.
Figure 6 shows the sequence of domain negotiation.
The final result of domain negotiation is a contract
Fig 4. The Policy Mediation Process for dividing the privileges of policy enforcement
between the higher domain and the lower domain. This
The core criterion for policy mediation is a result specifies the privilege range for each domain to
negotiation between the higher domain and lower enforce a policy.
domain. Basically, the privilege of the higher domain
is higher than the privilege of the lower domain.
However they should promise a range of privileges
before a process of policy mediation. In this paper,
such promise is called a domain negotiation.
The privilege of a domain administrator is the range
of priority that a domain administrator can vest a

Proceedings of the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT05)
0-7695-2405-2/05 $20.00 2005 IEEE
Consequently, granting that a policy is enforced to a
multiply layer network environment, the response time
is very short. If that enforcement structure is complex,
the entire response time is not affected.

5. Conclusion
We propose policy enforcement and a mediation
mechanism for large-scale networks. The proposed
mechanism allows an administrator to simultaneously
enforce policies to the entire network. The large-scale
network can, therefore, respond to harmful traffic that
has rapidly propagated.
The high-level language is provided to effectively
Fig 6. The Sequence of Domain Negotiation authorize a policy, enabling it to rapidly enforce a
policy onto a large-scale network through an
For example, in a domain negotiation such as that abstraction of information and a control form for lower
performed above, the higher domain has the highest layer devices. The policy collision in the multiple-layer
priority 3 for the entire lower domain and the lower structures of a large-scale network leads to confusion.
domain has highest priority 5. However, for port Therefore, such collision should be detected and
range1025-2000, the lower domain can have the resolved. The proposed mediation mechanism selects
highest priority 2. That is, for a particular range, the the most important policies among the colliding
lower domain has a relatively higher privilege than one polices, according to the administrators intentions.
of the higher domain.
6. References
4. Evaluation
1. S. Hariri, Qu Guangzhi, T. Dharmagadda, M. Ramkishore:
Impact analysis of faults and attacks in Large-scale
Figure 7 represents the policy enforcement time networks, Security Private Magazine, IEEE,Volume1,
according to the number of nodes and layers. As shown pp.49-54, Sept-Oct2003
in Figure 7, the lower layer devices, the longer the 2. Duan Haixin, Wu Jianping, Security management for
response time for the policy is enforced. However, the large computer networks, APCC-OECC99, Vol2,
rate of increase becomes blunter and blunter. pp.1208-1213, 18-22Oct.1999
3. Sung Kang, An efficient design of large-scale
communication network with a decomposition technique,
Circuits and Systems, IEEE Transactions on Vol27,
pp.1169-1175, Dec1980
4. E.C. Lupu, M. Sloman, Conflicts in policy-based
distributed systems manage-ment, Software Engineering,
IEEE Transactions on Vol25, pp.852-869, Nov-Dec.1999
5. D.C. Verma, S. Calo, K. Amiri, Policy-based
management of content distribution networks, Network,
IEEE, pp.34-39, Mar-Apr2002
6. D.C. Verma, Simplifying network administration using
policy-based manage-ment, Network, IEEE, Vol16,
pp.20-26, Mar-Apr.2002
Fig 7. Simulation Result

There are three graphs which represent different


environments. M1 shows the environment constructed
by single domain policy server and a single layer. M2
shows the environment constructed by the 6 domain
policy servers and 2 layers, and M3 shows the
environment constructed by 26 domain policy servers
and 3 layers. According to each environment, the
enforcement time is a little different no matter how
similar the time I s in a large number of nodes.

Proceedings of the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT05)
0-7695-2405-2/05 $20.00 2005 IEEE